In secure group communication, messages between a group coordinator and members are protected by session keys. If a group's membership changes, the session keys should be updated to ensure forward secrecy and backward secrecy. Zhou and Huang proposed a key-update scheme based on a ciphertext-policy attribute-based encryption algorithm to improve the security of the key-update mechanism, but their scheme is vulnerable: a malicious group member may send forged key-update messages to take control of the group. In this paper, we analyze the vulnerability in Zhou and Huang's scheme and propose an enhanced scheme. In our scheme, only the group initiator can update group keys, and the verification of the key-update mechanism is improved to prevent malicious insiders from controlling the group. We also give a security and performance analysis of our scheme.
In recent years, social networks such as Google+, Facebook, and Twitter have gained wide popularity and provide much convenience in people's daily lives. In a social network, people can freely maintain their own social circles, for example by adding or removing friends and sharing messages with specific members of a group.
Social networks are built on cloud computing technology. In a cloud service, users' data and documents are not stored on their own computers but on cloud servers. In most cases, users' data is not encrypted and is therefore exposed to system vulnerabilities, unauthorized access, and privacy leaks under government censorship [
The secure multicast technique can be used to enhance users’ privacy in social networks [
Chang et al. [
However, we have discovered certain security issues in the EGK model. For example, a malicious group member may launch the following attacks within EGK. (1) He may perform a man-in-the-middle (MITM) attack to intercept group communications and modify the group coordinator's messages. (2) He may masquerade as the coordinator, forge the key-update message, and become the new coordinator. In Jia et al.'s EGK-based scheme [
In this paper, we analyze the security issues in EGK and propose a new secure key management scheme. Our scheme resists the MITM attack and masquerade attack. The rest of this paper is organized as follows. In Section
Zhou and Huang [
When a new member joins a specific group, the coordinator generates a new group key, sends it to the new member over a secure channel, and sends it to the existing members encrypted under the old group key. When a member leaves the group, the coordinator uses the Quine-McCluskey algorithm [
The notations used in EGK are listed in Notations.
At this stage, a group coordinator creates a group and the maximum membership of the group is
When a new member joins a group, the group coordinator gives to the member a unique He generates a random value He calculates According to He performs the mapping of He generates a private key At last, the coordinator sends
When a group coordinator is going to multicast a message, he can use a different bit-assignment to assign specific members to decrypt the message. Then, he has to run the Quine-McCluskey algorithm to minimize all group members’ IDs. The IDs are compared in pairs and reduced until there is no pair with only one bit different. The irreducible IDs are taken as attributes for encryption:
With the attributes, the coordinator runs the encryption algorithm converting calculating generating a random value calculating calculating calculating generating a ciphertext
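The pairwise reduction described above (merge IDs that differ in exactly one bit, repeat until no such pair remains, keep the irreducible terms as attributes) is the first phase of Quine-McCluskey. The following Go program is an added illustration written for this page, not code from the paper: it minimizes the remaining members' IDs after a leave and checks which IDs each resulting attribute covers. The 3-bit group and the leaving member 5 are constructed sample input; `MinimizeIDs` and `Covers` are names chosen here.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// toTerm renders a member ID as a fixed-width bit string ("101" for ID 5 at width 3).
// IDs must be smaller than 2^width.
func toTerm(id, width int) string {
	s := strconv.FormatInt(int64(id), 2)
	return strings.Repeat("0", width-len(s)) + s
}

// mergeTerms combines two terms that agree everywhere except in one position
// where both carry a definite bit; that position becomes a don't-care '-'.
// Terms whose '-' positions differ cannot be merged.
func mergeTerms(a, b string) (string, bool) {
	diff := -1
	for i := 0; i < len(a); i++ {
		if a[i] == b[i] {
			continue
		}
		if a[i] == '-' || b[i] == '-' || diff != -1 {
			return "", false
		}
		diff = i
	}
	if diff == -1 {
		return "", false
	}
	return a[:diff] + "-" + a[diff+1:], true
}

// MinimizeIDs runs the pairwise-reduction phase of Quine-McCluskey over the
// member IDs: terms differing in a single bit are merged round after round
// until no pair differs in exactly one bit. Terms that were never merged are
// irreducible and are returned, sorted, as the attributes for encryption.
func MinimizeIDs(ids []int, width int) []string {
	terms := map[string]bool{}
	for _, id := range ids {
		terms[toTerm(id, width)] = true
	}
	primes := map[string]bool{}
	for len(terms) > 0 {
		list := make([]string, 0, len(terms))
		for t := range terms {
			list = append(list, t)
		}
		sort.Strings(list)
		merged, used := map[string]bool{}, map[string]bool{}
		for i, a := range list {
			for _, b := range list[i+1:] {
				if m, ok := mergeTerms(a, b); ok {
					merged[m], used[a], used[b] = true, true, true
				}
			}
		}
		for t := range terms {
			if !used[t] {
				primes[t] = true
			}
		}
		terms = merged
	}
	out := make([]string, 0, len(primes))
	for p := range primes {
		out = append(out, p)
	}
	sort.Strings(out)
	return out
}

// Covers reports whether an attribute (a bit-assignment with don't-cares)
// matches a member ID, i.e. whether that member is addressed by it.
func Covers(attr string, id int) bool {
	term := toTerm(id, len(attr))
	for i := range attr {
		if attr[i] != '-' && attr[i] != term[i] {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample: a 3-bit group (IDs 0..7) from which member 5 leaves.
	remaining := []int{0, 1, 2, 3, 4, 6, 7}
	attrs := MinimizeIDs(remaining, 3)
	fmt.Println("attributes for rekeying:", attrs)
	for _, a := range attrs {
		fmt.Printf("  %s covers leaver 5? %v\n", a, Covers(a, 5))
	}
}
```

For the sample above the seven remaining IDs collapse to the three attributes `--0`, `-1-` and `0--`; every remaining member matches at least one of them and the leaver (101) matches none, which is exactly what lets the coordinator address the rekeying message to the remaining members only.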
After group members receive the encrypted messages, they use their private key and the public parameter to run the decryption algorithm, DEC( The group member verifies whether He converts He calculates He calculates He calculates
When a new member joins a group, the group coordinator generates a new group key
The group coordinator has to run the following steps: Generating a random value Updating his master key Generating a rekeying message Running Quine-McCluskey algorithm to minimize the remaining members’ IDs until there are Using each attribute to run the encryption algorithm ENC
After receiving the ciphertext, the group members run the following steps: Performing the decryption algorithm DEC(Params, SK, Multiplying Updating his session key
In EGK, a malicious member may decrypt the group coordinator's message and send a forged message to the members who are associated with the same attributes. The victim members may update their keys and consequently become desynchronized from the coordinator. Thus the group coordinator is displaced and the malicious member acts as the man in the middle, taking control of the group. The detailed steps are as follows.
A malicious member decrypts He retrieves He generates a random value He multiplies He sends a forged ciphertext
Therefore, the malicious member can bypass the encryption algorithm ENC and sends a forged ciphertext Calculating Calculating Calculating Calculating Calculating
After decryption, they retrieve the rekeying message
Under such MITM attacks, the compromised members’ private keys become Calculation of Calculation of Calculation of Calculation of Calculation of
After the division in step (5), the compromised members are unable to retrieve the key-update message
A malicious member may modify the whole ciphertext, except Calculating Calculating Calculating Multiplying Calculating Calculating Sending the forged message
After receiving The group members verify whether the received They convert the They calculate They calculate They calculate They calculate They calculate
After the decryption procedure, they retrieve
In EGK, even though a malicious member is unable to decrypt his group coordinator’s ciphertext, he can forge a message and then try the steps of Sections
At this stage a group coordinator creates a multicast group with
When a new member joins the group, the group coordinator assigns a unique ID to the member and associates him with an attribute He generates a random value He calculates He uses He maps He generates a private key
At last, the group coordinator multicasts ID,
When a group coordinator needs to multicast to his group, he assigns a unique bit-assignment to each group member, so that each member is able to decrypt the ciphertext intended for him. The coordinator also uses the Quine-McCluskey algorithm to minimize the remaining members' IDs and then calculates attributes
The group coordinator runs ENC( calculates converts the calculates calculates calculates calculates generates
After receiving the ciphertext, group members verify whether their own Conversion of the Calculating Calculating Calculating Calculating Dividing Calculating Verifying if
If a new member joins a group, the group coordinator generates a new session key
Group coordinator performs the following: He generates a random value He updates his master key He generates a rekeying message He uses the Quine-McCluskey algorithm to minimize remaining members’ IDs until there are He runs ENC(
Group members perform the following: After receiving the ciphertext, each group member runs DEC( They multiply They update their session key
We assume a malicious member is in a group coordinator's communication group. He receives the latest rekeying message and then forges a fake one and sends it to the other group members. The forged message may arrive before the group coordinator's rekeying message and successfully rekey those members. In this way, the malicious member can cause asynchrony between group members and their coordinator.
After receiving group coordinator’s
We assume a malicious member belongs to a group coordinator’s communication group. He is able to decrypt and retrieve the coordinator’s rekeying message. He forges a rekeying message and sends it to other group members.
With Summing up the previous attributes Calculating Calculating Calculating
Since
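The property the analysis above relies on is that a rekeying message is accepted only if it was produced with a secret that members do not hold, so an insider who can read the coordinator's rekeying message still cannot issue one of his own. The Go program below is an added toy model written for this page, not the paper's construction: the pairing-based verification is replaced by an Ed25519 signature under the coordinator's key, the attribute-based encryption of the rekeying message by wrapping under the current session key (so it models the join-style rekeying, not the leave case), and the multiplication that updates the session key by a hash. All type and function names are chosen here, and the group members are constructed sample participants.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const keyLen = 32

// RekeyMsg: epoch counter, the random value r wrapped under the current session
// key, and the coordinator's signature over both. The signature stands in for
// the paper's sender verification; Ed25519 is this example's choice.
type RekeyMsg struct {
	Epoch   uint64
	Wrapped []byte
	Sig     []byte
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// withEpoch prefixes data with the big-endian epoch; it is both the signed
// body and the input from which the per-epoch wrapping pad is derived.
func withEpoch(epoch uint64, data []byte) []byte {
	out := make([]byte, 8, 8+len(data))
	binary.BigEndian.PutUint64(out, epoch)
	return append(out, data...)
}

// mask XORs r with a pad derived from the session key and the epoch; because
// XOR is its own inverse, the same call unwraps. It stands in for the paper's
// attribute-based encryption of the rekeying message.
func mask(sessionKey []byte, epoch uint64, r []byte) []byte {
	pad := sha256.Sum256(withEpoch(epoch, sessionKey))
	out := make([]byte, len(r))
	for i := range r {
		out[i] = r[i] ^ pad[i%len(pad)]
	}
	return out
}

// deriveNext folds r into the session key (the paper multiplies; this toy hashes).
func deriveNext(sessionKey, r []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, sessionKey...), r...))
	return h[:]
}

// Coordinator holds the signing key, the one secret that members never receive.
type Coordinator struct {
	priv       ed25519.PrivateKey
	Pub        ed25519.PublicKey
	SessionKey []byte
	Epoch      uint64
}

func NewCoordinator() *Coordinator {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Coordinator{priv: priv, Pub: pub, SessionKey: randBytes(keyLen)}
}

// Enroll models a join: the new member gets the current key over a secure channel.
func (c *Coordinator) Enroll() *Member {
	return &Member{coordPub: c.Pub, SessionKey: append([]byte{}, c.SessionKey...), Epoch: c.Epoch}
}

// Rekey draws a fresh r, wraps it under the current key, signs, and advances.
func (c *Coordinator) Rekey() RekeyMsg {
	r := randBytes(keyLen)
	c.Epoch++
	w := mask(c.SessionKey, c.Epoch, r)
	sig := ed25519.Sign(c.priv, withEpoch(c.Epoch, w))
	c.SessionKey = deriveNext(c.SessionKey, r)
	return RekeyMsg{Epoch: c.Epoch, Wrapped: w, Sig: sig}
}

type Member struct {
	coordPub   ed25519.PublicKey
	SessionKey []byte
	Epoch      uint64
}

// Apply accepts a rekeying message only if it is for the next epoch and its
// signature verifies under the coordinator's public key. A rejected message
// leaves the member's state untouched, so it cannot desynchronize the member.
func (m *Member) Apply(msg RekeyMsg) error {
	if msg.Epoch != m.Epoch+1 {
		return errors.New("rekey: unexpected epoch (replay or out of order)")
	}
	if !ed25519.Verify(m.coordPub, withEpoch(msg.Epoch, msg.Wrapped), msg.Sig) {
		return errors.New("rekey: sender verification failed")
	}
	r := mask(m.SessionKey, msg.Epoch, msg.Wrapped)
	m.SessionKey = deriveNext(m.SessionKey, r)
	m.Epoch = msg.Epoch
	return nil
}

// ForgeFromMember is the paper's insider scenario in this toy: the member
// holds the session key, so it can wrap an r of its own, but it can only sign
// with a key it generated itself.
func ForgeFromMember(m *Member) RekeyMsg {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	w := mask(m.SessionKey, m.Epoch+1, randBytes(keyLen))
	return RekeyMsg{Epoch: m.Epoch + 1, Wrapped: w, Sig: ed25519.Sign(priv, withEpoch(m.Epoch+1, w))}
}

// InSync reports whether a member shares the coordinator's current session key.
func InSync(c *Coordinator, m *Member) bool { return bytes.Equal(c.SessionKey, m.SessionKey) }

func main() {
	c := NewCoordinator()
	alice, mallory := c.Enroll(), c.Enroll()
	msg := c.Rekey()
	fmt.Println("honest rekey:", alice.Apply(msg), mallory.Apply(msg), "alice in sync:", InSync(c, alice))
	fmt.Println("forged rekey:", alice.Apply(ForgeFromMember(mallory)), "alice in sync:", InSync(c, alice))
}
```

The epoch counter is what turns the signature into protection against the race described above: a forged message for an epoch the member has already processed is rejected before any cryptography runs, and a replayed genuine message is rejected for the same reason. The cost of the check is one signature verification per rekeying, which corresponds to the extra hash and mapping the paper reports for its own verification.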
If a group coordinator removes a member from the group, he updates his own master key and runs the encryption algorithm ENC to generate a rekeying message
When a new member joins a group, the group coordinator generates a new session key
In our secure multicast group communication protocol, a group coordinator has to store a set of a public parameter, a master key, and a session key, that is,
As for computational load, a group coordinator computes one hash, one mapping, and three exponentiations when running the encryption algorithm. When a group member decrypts a ciphertext, the decryption algorithm requires four mappings and one hash. As listed in Table
Comparison of computational load.

| | EGK | | Our scheme | |
|---|---|---|---|---|
| | Encryption | Decryption | Encryption | Decryption |
| Coordinator | | 0 | | 0 |
| Member | 0 | 3 | 0 | |
Compared with EGK, our encryption algorithm requires sender verification and therefore computes one more hash. Our decryption algorithm requires group members to verify messages, so it computes one more hash and one more mapping.
Take Facebook as an example. We assume that it uses our scheme; its member limit is 5000 (
Storage.

| | Master key | Public parameter | Session key |
|---|---|---|---|
| Coordinator | | | |
| Member | | | |
| Total | | | |
In our scheme, a group coordinator's communication load increases linearly with the number of minimized attributes. If there are
Communication loads for rekeying.

| | EGK | Our scheme |
|---|---|---|
| Coordinator | ( | ( |
Despite one more hash and one more public parameter compared to EGK, our scheme's storage requirement is the same as EGK's, and the two schemes' communication loads are also the same.
In this paper, we analyze Zhou and Huang's key distribution scheme for multicast group communication and find it vulnerable to MITM and desynchronization attacks. These security issues can cause a group coordinator to lose control of his group and fail to rekey his members. We propose a scheme to enhance the security of EGK. Our scheme guarantees forward and backward secrecy, prevents message modification and forgery during rekeying, requires sender verification, and therefore prevents MITM attacks in group communication.
We hope our secure multicast group communication scheme can be applied to cloud services and social networking sites, so that users can enjoy these services in a secure environment without additional load, and so that users' privacy and data integrity are protected.
A large prime number
A cyclic additive group of prime order
A cyclic multiplicative group of prime order
Generator,
A bilinear map
One-way hash function
Random values,
Identifier of group members,
A set of bit-assignments
A set of bit-assignments secrets
Public parameter
Group coordinator’s master key
Private keys that a group coordinator multicasts to members of specific ID,
Session key
An attribute that a group coordinator gives to a member of a specific ID (each attribute is the bit-assignment of the ID).
The authors declare that they have no competing interests.
This research was supported by the National Science Council of Taiwan under Grant no. MOST104-2221-E-130-009.